{"url":"http://public2.vulnerablecode.io/api/packages/40603?format=json","purl":"pkg:pypi/langchain-core@0.1.0","type":"pypi","namespace":"","name":"langchain-core","version":"0.1.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.1.11","latest_non_vulnerable_version":"1.2.11","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36747?format=json","vulnerability_id":"VCID-m5uw-4tqc-3ub8","summary":"LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution.","references":[{"reference_url":"https://github.com/langchain-ai/langchain","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain"},{"reference_url":"https://github.com/langchain-ai/langchain/blob/f96dd57501131840b713ed7c2e86cbf1ddc2761f/libs/core/langchain_core/utils/loading.py","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/blob/f96dd57501131840b713ed7c2e86cbf1ddc2761f/libs/core/langchain_core/utils/loading.py"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/e1924b3e93d513ca950c72f8e80e1c133749fba5","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/commit/e1924b3e93d513ca950c72f8e80e1c133749fba5"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/18600","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/pull/18600"},{"reference_url":"https://github.com/PinkDraconian/PoC-Langchain-RCE/blob/main/README.md","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/PinkDraconian/PoC-Langchain-RCE/blob/main/README.md"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain-core/PYSEC-2024-45.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain-core/PYSEC-2024-45.yaml"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-43.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-43.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28088","reference_id":"CVE-2024-28088","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28088"},{"reference_url":"https://github.com/advisories/GHSA-h59x-p739-982c","reference_id":"GHSA-h59x-p739-982c","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-h59x-p739-982c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40614?format=json","purl":"pkg:pypi/langchain-core@0.1.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-core@0.1.11"},{"url":"http://public2.vulnerablecode.io/api/packages/69235?format=json","purl":"pkg:pypi/langchain-core@0.1.30","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-core@0.1.30"}],"aliases":["CVE-2024-28088","GHSA-h59x-p739-982c","PYSEC-2024-43","PYSEC-2024-45"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m5uw-4tqc-3ub8"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-core@0.1.0"}